Learn from mistakes made in US security

Think the US does IT security best? Think again

I have noticed something strange when I am in Europe talking about computer security. I have heard people say things, in a self-deprecating tone, such as, "This is not CIA-quality security, but it will probably do." There is an implicit assumption that US computer security - particularly the government's - is at a level to which few can aspire.

Let me set the record straight. If you are labouring under the false impression that the US government has fantastic security, you are wrong.

Do you imagine that the country's nuclear secrets are stored in a bomb-proof bunker, where machines run custom operating systems with biometric smartcards and military-grade encrypted file systems?

On the contrary. As we have seen, idiots at Los Alamos National Labs were periodically e-mailing nuclear secrets in the clear across ordinary networks.

Lost FBI laptops

The FBI admits that in the past four years it has lost over 150 laptops, including some containing classified information.

Then there is the "approximately 10Tbytes" of data that a US Air Force spokesman admitted left the "sensitive but unclassified" Department of Defense networks heading, "we think, to China".

Taken together, all of the news you hear about IT incompetence and mismanagement should leave you in no doubt. You Europeans need to form a more accurate picture of how bad things really are over here.

When I hear Europeans looking up to the US government, I wonder, "Are things that bad here?" But then I realise that there is simply no possible way that European governments could have security that is worse than the US government's - short of having no security at all.

Patience will pay

I think it must be purely a problem of perception. Some of that perception is founded in truth: most of the world is still behind the US in terms of IT innovation. In terms of security, that spells opportunity for other countries - the opportunity to sit and wait, and see how it pans out before you decide to try it.

For example, the current fad in the US is for the government to outsource everything it can. Is that going to result in a huge improvement in security and functionality, as the low-cost provider replaces incompetent federal workers?

Or is it going to result in massive leaks of information as we turn the critical processes of government over to whoever wants to do it? Europe has the opportunity to sit back, watch, assess and learn. But do it with your eyes open; do not simply assume that because the Americans are doing it, it is a good idea.

As information becomes increasingly critical to the workings of government, warfare and economics, the need to protect these assets will become commensurately serious.

Now is the time to "make haste, slowly" and to make sure that the perceptions upon which you base your decisions are clear and accurate.
